WordPress revealing the username by login trial and error

6 March 2014 | Internet, WordPress | admin, loginname
Security problem: in current WordPress versions (at the time of writing) it is possible to find a valid login name by trial and error, using nothing but the login screen.

What happens is this: if you enter a wrong username, that username is cleared from the form after the failed attempt. If you enter a correct username (with a wrong password), the username stays filled in on the login screen.

The two cases also produce different error messages: one tells you the username is invalid, the other tells you the password for that username is incorrect. In the second case WordPress is in effect confirming that the username exists (stupid, if I may say so).

All of this is caused by this piece of code in wp-login.php: it inspects the error code and, depending on it, keeps or clears the username, which is exactly what makes a valid username discoverable.

if ( isset($_POST['log']) )
    $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : '';
How to deal with this?

1) Make WordPress report a different error code on a failed login

First we hook the authentication filter and, inside that filter, change the error code that is reported.

Instead of 'incorrect_password' we return 'invalid_username'. That misleads the login screen into clearing the username field whether the username or the password was wrong.

To accomplish the trick, add the code below to the theme's functions.php:

/* Change the WordPress login error code on an incorrect password only */
function wp_modify_login_error_incorrect_password( $user ) {
    if ( is_wp_error( $user ) ) {
        $error_string = $user->get_error_message();
        if ( $user->get_error_code() == 'incorrect_password' ) {
            // Same message text, different code: wp-login.php now clears the username field
            $user = new WP_Error( 'invalid_username', $error_string );
        }
    }
    return $user;
}
// Priority 25 so this runs after WordPress's own username/password check on the same filter (priority 20)
add_filter( 'authenticate', 'wp_modify_login_error_incorrect_password', 25, 1 );

The only difference from the original WordPress behaviour is that we tell the login screen we have an invalid_username even though the real error was incorrect_password. That is the only change made to the returned error code (the image below shows the original and the changed code side by side).

Note: the original code is in wp-includes/user.php, starting around line 71 (the exact line depends on the WordPress version).

[Image: The WordPress login-screen error message trick]
2) Change the error notifications so they don't reveal information.

Changing the error code alone is still not enough. WordPress still reveals the correct username through the message text it returns (the password message names the username), which gives the attacker just the information he needs to discover a valid username. So altering the error message to one that does not reveal any information is advisable.

There are two ways to do this: either remove the complete message (solution 2a) or change it into a generic one (solution 2b).

Caveat: the login_errors filter is applied to every error shown on wp-login.php, so either solution also affects the error messages of the registration and lost-password forms if those are enabled on your site. Check those forms after applying it. Also be aware that the response time of a failed login can still differ slightly between an existing and a non-existing username, because the password hash is only checked when the user exists; these filters do nothing about that.

2a) Removing the default login error messages.

This requires adding this filter to your theme's functions.php:

add_filter( 'login_errors', function ( $errors ) { return ''; } );

(The original version of this line used create_function(), which is deprecated since PHP 7.2 and removed in PHP 8.0; the closure above does the same thing.)

2b) Changing both login error messages into a generic one.

To change the login error message into a generic one, add this filter to the theme's functions.php:

function error_message_failed_login() {
    return 'The login information entered is incorrect.';
}
add_filter( 'login_errors', 'error_message_failed_login' );
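To verify that a site no longer has this oracle after steps 1 and 2, the following script compares the login response for a non-existent username with the response for an existing one and reports which of the two leak channels (re-filled username field, differing message text) are present. This is an added example for this post, not code from the original article or from WordPress. The HTML samples inside it are constructed to resemble wp-login.php markup, not captured from a real site, and fetch_login_response is a convenience for running the same comparison against a real login URL; it assumes the default form field names log and pwd.

```python
"""Check for the two WordPress login-screen username oracles (added example).

Compares the HTML of a failed login with a non-existent username against the
HTML for an existing username and lists the leak channels found:
  1. the 'log' input is re-filled only when the username exists;
  2. the error message text differs between the two cases.
"""
import urllib.parse
import urllib.request
from html.parser import HTMLParser


class _LoginPageParser(HTMLParser):
    """Collect the value of <input name="log"> and the text inside <div id="login_error">."""

    def __init__(self):
        super().__init__()
        self.retained_username = ""
        self.error_text = ""
        self._in_error = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "log":
            self.retained_username = attrs.get("value") or ""
        elif tag == "div" and attrs.get("id") == "login_error":
            self._in_error = True

    def handle_endtag(self, tag):
        if tag == "div":
            self._in_error = False

    def handle_data(self, data):
        if self._in_error:
            self.error_text += data


def extract_signals(html, username):
    """Return (retained_username, normalised error text) for one login response.
    The submitted username is masked, so a message that merely echoes it back
    does not count as a difference on its own."""
    parser = _LoginPageParser()
    parser.feed(html)
    text = " ".join(parser.error_text.split())
    if username:
        text = text.replace(username, "<USER>")
    return parser.retained_username, text


def find_username_leaks(unknown_user, resp_unknown, known_user, resp_known):
    """Compare two failed-login responses (both with a wrong password); return the oracles found."""
    kept_a, msg_a = extract_signals(resp_unknown, unknown_user)
    kept_b, msg_b = extract_signals(resp_known, known_user)
    leaks = []
    if (kept_a != "") != (kept_b != ""):
        leaks.append("username retained in form for one case only")
    if msg_a != msg_b:
        leaks.append("error message differs")
    return leaks


def fetch_login_response(url, username, password, timeout=10):
    """POST one login attempt and return the HTML (network call; not used by the offline demo).
    The 'testcookie' field is left out on purpose so wp-login.php does not reject the request
    for a missing test cookie (assumption about the default form handling)."""
    body = urllib.parse.urlencode({"log": username, "pwd": password, "wp-submit": "Log In"}).encode()
    req = urllib.request.Request(url, data=body, headers={"User-Agent": "wp-login-oracle-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def _page(error_html, log_value):
    """Constructed, minimal wp-login.php-style page (not a real capture)."""
    return (
        "<html><body>\n"
        f'<div id="login_error">{error_html}<br />\n</div>\n'
        '<form name="loginform" id="loginform" action="https://example.test/wp-login.php" method="post">\n'
        f'<input type="text" name="log" id="user_login" class="input" value="{log_value}" size="20" />\n'
        '<input type="password" name="pwd" id="user_pass" class="input" value="" size="20" />\n'
        "</form></body></html>"
    )


# Constructed message texts for the three states of the site
INVALID_USER_MSG = "<strong>ERROR</strong>: Invalid username."
WRONG_PASS_MSG = ("<strong>ERROR</strong>: The password you entered for the username "
                  "<strong>admin</strong> is incorrect.")
GENERIC_MSG = "The login information entered is incorrect."


def demo():
    """Run the comparison for an unpatched site, after step 1 only, and after steps 1 and 2b."""
    unknown = _page(INVALID_USER_MSG, "")
    return {
        "unpatched": find_username_leaks("nosuchuser", unknown, "admin", _page(WRONG_PASS_MSG, "admin")),
        "step1_only": find_username_leaks("nosuchuser", unknown, "admin", _page(WRONG_PASS_MSG, "")),
        "steps1_and_2b": find_username_leaks("nosuchuser", _page(GENERIC_MSG, ""),
                                             "admin", _page(GENERIC_MSG, "")),
    }


if __name__ == "__main__":
    for state, leaks in demo().items():
        print(f"{state}: {leaks or 'no username oracle found'}")
```

Running the demo shows why step 1 on its own is not sufficient: the username field is no longer re-filled, but the message text still differs, and only after step 2 does the comparison come back empty. Against a live site, call fetch_login_response twice (one username you know does not exist, one you suspect does, both with a wrong password) and pass the two pages to find_username_leaks; a lockout plugin may of course block the second request.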
3) Optionally, hide the "Remember Me" checkbox from the wp-login form

The next step is to hide the "Remember Me" checkbox from the login screen. Add this to the theme's functions.php:

add_action( 'login_head', 'remove_remember_me' );
function remove_remember_me() {
    echo '<style type="text/css">.forgetmenot { display:none; }</style>' . "\n";
}

Note that this only hides the checkbox with CSS; a client that sends the rememberme form field in the POST request is still honoured by WordPress.
Now let us put it all into a plugin.

You can of course combine all these changes into one plugin. Create a PHP file from the code below and upload it into its own subfolder of the WordPress plugins folder (wp-content/plugins/).

<?php
/*
Plugin Name: WP Modify Login Error Message
Plugin URI: http://www.backups.nl/
Description: WordPress Modify Login Error Message. Modifies the login error result to prevent WordPress from revealing a valid login name (admin)
Version: 1.0
Author: BackuPs
Author URI: http://www.backups.nl/
Email Address : my email address
License: GPL2
*/

/* Change the default login error message into a generic one */
function error_message_failed_login() {
    return 'The login information entered is incorrect.';
}
add_filter( 'login_errors', 'error_message_failed_login' );

/* Remove the "Remember Me" checkbox from the login screen */
function remove_remember_me() {
    echo '<style type="text/css">.forgetmenot { display:none; }</style>' . "\n";
}
add_action( 'login_head', 'remove_remember_me' );

/* Change the WordPress login error code on an incorrect password only */
function wp_modify_login_error_incorrect_password( $user ) {
    if ( is_wp_error( $user ) ) {
        $error_string = $user->get_error_message();
        if ( $user->get_error_code() == 'incorrect_password' ) {
            // Report invalid_username so wp-login.php clears the username field
            $user = new WP_Error( 'invalid_username', $error_string );
        }
    }
    return $user;
}
// Priority 25: after WordPress's own username/password check (priority 20)
add_filter( 'authenticate', 'wp_modify_login_error_incorrect_password', 25, 1 );
?>
Side note: in WordPress you can easily change the admin login to a name that is harder to guess. But did you know that this is of little use unless you have a huge user database with loads of dummy users in which to hide your admin?

I have seen many videos and instructions telling you to create a new admin, log in with it and delete the old admin. Videos that instruct you to create an admin with a name like 'youdonotfindme'. Plugins like "Better WP Security" that suggest changing the user ID and name. They are all right to some extent. But the thing is: as long as your author pages can be requested, the admin's login name can still be found, whether or not the admin ever wrote a single article!

How to fix that is explained here: WordPress changing the Admin ID / Hiding author pages

5 September 2020, BackuPs